wiki:policies:infosec [2022/08/30 21:10] katcow |
wiki:policies:infosec [2023/12/13 21:15] (current) kholub |
Line 1: | Line 1: | ||
- | ====== Information Security | + | ====== Information Security |
===== Information Security Organization ===== | ===== Information Security Organization ===== | ||
Line 9: | Line 9: | ||
* Kathryn Cowie, Operations Lead | * Kathryn Cowie, Operations Lead | ||
* Stephen Mead, Lead Engineer | * Stephen Mead, Lead Engineer | ||
- | * Peace Olaniran, Data Associate | ||
* An external cybersecurity consultant, who has already been vetted and interviewed by Nested Knowledge, will be hired as an independent contractor if the needs of our information security organization expand. | * An external cybersecurity consultant, who has already been vetted and interviewed by Nested Knowledge, will be hired as an independent contractor if the needs of our information security organization expand. | ||
- | ==== | + | ==== Review: ==== |
All policies will be reviewed on an annual basis or earlier, should a major system changed occur. | All policies will be reviewed on an annual basis or earlier, should a major system changed occur. | ||
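Review bot: the unchanged Review line still reads "should a major system changed occur" and should be "should a major system change occur". The removal of Peace Olaniran from the organization list in this hunk should also be paired with the oversight transfer that the Personnel changes section below requires for a departure, or a note of where that transfer is recorded.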
Line 18: | Line 17: | ||
==== Personnel changes ==== | ==== Personnel changes ==== | ||
- | In the event of a change in role, a departure, or a new hire, oversight of the affected policies will be transfered | + | In the event of a change in role, a departure, or a new hire, oversight of the affected |
====== Data Protection Plan ====== | ====== Data Protection Plan ====== | ||
Line 44: | Line 43: | ||
==== Data Protection Officer (DPO) ==== | ==== Data Protection Officer (DPO) ==== | ||
- | The DPO, responsible for approving data processing projects, | + | The DPO, responsible for reviewing and approving data processing projects, |
+ | |||
+ | In brief, the DPO: | ||
+ | |||
+ | * Is made available for all product & support teams, for reporting & planning any changes to data processing | ||
+ | * Monitors for changes that are of consequence to our data processing policies, including: | ||
+ | * Code changes and releases | ||
+ | * Third party vendors & subprocessor additions | ||
+ | * Internal tooling & workflow changes | ||
+ | * Monitors subprocessor communications for terms and conditions and subprocessor updates | ||
+ | * Maintains records of compliance, associated directly with the issue tracker, processor record | ||
+ | * Reports to the CEO on activities and compliance on a regular basis | ||
+ | |||
+ | **DPO Email: | ||
==== Data Protection Impact Analysis Plan ==== | ==== Data Protection Impact Analysis Plan ==== | ||
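Review bot: "Reports to the CEO on activities and compliance on a regular basis" and "Monitors for changes" give no interval or mechanism; state the reporting cadence and where the monitoring output is recorded (the issue tracker and processor record named in the "Maintains records" bullet would serve) so that compliance can be evidenced rather than asserted.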
Line 58: | Line 70: | ||
- **Scope of the processing: | - **Scope of the processing: | ||
- **Context of the processing: | - **Context of the processing: | ||
- | - *Purpose of the processing: | + | - **Purpose of the processing: |
- **Consultation Process** | - **Consultation Process** | ||
- describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | - describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organization? | ||
Line 85: | Line 97: | ||
Employee training requirements are based on the [[https:// | Employee training requirements are based on the [[https:// | ||
+ | |||
+ | ==== Communicating Updates ==== | ||
+ | |||
+ | As [[: | ||
====== Backup Plan ====== | ====== Backup Plan ====== | ||
Line 104: | Line 120: | ||
Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | Remote workers are responsible for ensuring that their remote systems are backed up on a periodic basis. | ||
- | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge | + | * It is recommended that all personal computers be backed up. Copies of the personal computer files should be uploaded to the Nested Knowledge |
=== Backup Strategies === | === Backup Strategies === | ||
Line 111: | Line 127: | ||
* Automated backup functions within software packages should be used where applicable. | * Automated backup functions within software packages should be used where applicable. | ||
* When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | * When a computer equipment is changed, consideration should be given to the backup media and data formats to ensure that they can still be restored. | ||
- | * The database | + | |
+ | === Database Back Ups === | ||
+ | |||
+ | Backups are generated as database | ||
+ | |||
+ | In addition to backups on our main cloud provider (AWS), we generate & store backups on a separate | ||
=== Restoration === | === Restoration === | ||
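Review bot: the new Database Back Ups section names a copy on a separate provider in addition to AWS but says nothing about how either copy is protected; state encryption at rest, who holds the credentials for the second provider, and the retention period for both copies, since an off-provider backup is a second copy of production data with its own access path. Minor: the heading reads "Back Ups" while the rest of the page uses "Backup".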
Line 117: | Line 138: | ||
* Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners. | * Authorization to restore data from backup media that would overwrite existing production data must be obtained from Data Owners. | ||
* Restoration of the current configuration must be within agreed recovery timescales | * Restoration of the current configuration must be within agreed recovery timescales | ||
- | * Restoration of the AutoLit database is tested with regularity | + | * Restoration of the AutoLit database is tested with quarterly |
+ | * Backups | ||
+ | * Evidence | ||
+ | |||
+ | **Testing** | ||
+ | |||
+ | Backup and restore procedures must be tested at least annually. Issues with backups identified should be documented and remediated. | ||
===== Revision History ===== | ===== Revision History ===== | ||
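Review bot: the added Testing paragraph requires backup and restore procedures to be tested "at least annually" while the bullet above states the AutoLit restoration is tested quarterly; say explicitly that annual is the floor for all backups and quarterly is the AutoLit cadence, or align the two, and have the "Backups" and "Evidence" bullets each state concretely what is retained as evidence of a successful restore.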
Line 123: | Line 150: | ||
^Author^Date of Revision/ | ^Author^Date of Revision/ | ||
|K. Cowie|11/ | |K. Cowie|11/ | ||
- | |K. Holub|11/17/2021|Review Completed| | + | |K. Holub|12/13/2023|Better defining DPO role| |
|K. Kallmes|11/ | |K. Kallmes|11/ | ||
+ | |P. Olaniran|11/ | ||
[[: | [[: | ||
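Review bot: the K. Holub revision history row was edited in place, replacing the 11/17/2021 "Review Completed" entry with the 12/13/2023 "Better defining DPO role" entry, so the record of the 2021 review is lost; the history should be append-only, so restore the 2021 row and add the 2023 row beneath it.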